In all occurrences, customers already tried some basic steps for solving similar issues, such as, enabling TCP protocol, enabling remote connection, put SQL Server named instance into firewall exception list, etc. After we tracked down to the issues, we found that it's a combination of the specifics of Windows Cluster and the way we discover SQL Server named instance. When connecting to SQL Server named instances, our client components rely on SQL Browser to discover the server and its parameters. The discovery process is:

The client sends a UDP packet to SQL Browser on the target machine. When the named instance is on a windows cluster, the packet is sent to the cluster IP (or more specifically, the IP address corresponding to the virtual SQL Server). However, SQL Browser is not cluster-aware and listens on IP ANY. When SQL Browser receives the UDP request packet, it sends a response UDP packet back the client. The destination IP address is the client's IP address, however, the source IP address is changed. It's now the IP address for the NIC card on the physical machine, rather than the virtual SQL Server IP address. The source IP address of the response UDP packet is determined by Windows OS, based on the routing table. Because both virtual SQL Server IP address and the IP address attached to physical NIC are usually on the same subnet (thus belong to same route), physical IP address is selected preferably. Depends on the security settings on the client and server machines, this response UDP packet may be dropped because the peer IP address is changed. We have been seeing that the response packet is dropped by Firewall and/or IPSec.

Windows Firewall does not drop the packet. However, a third-party firewall may drop the packet. In addition, IPSec may also drop the packet if IPSec policy is enabled on the client and it can not establish a trust connection between the client and server. (Important update: If your client is a Vista machine, you will see this issue. A workaround is to specify tcp port or pipe name in your connection string directly.)

We decided not to fix this minor issue because it is determined by the nature of UDP protocol. A UDP socket can response to multiple senders and the socket layer never knows which one it is actually replying to. We may consider letting SQL Browser listen on individual IPs but the cost will be high. A workaround is to specify TCP port number in the connection string in which case we bypass the discovery process.

Please refer to the following links for additional information. The articles talk about issue for SQL Server 2000, but it also applies to SQL Server 2005 as the fundamentals did not change.

We had a fix for this issue in SQL Server 2008. Unfortunately, the fix is still partial. We identify another issue which invalidate the fix on X64 machine. Other than that, the issue is fixed if the server is SQL Server 2008 on Vista/Windows Server 2008 on X86/IA64. We don't have to do anything on the client side for these scenario. Note: the issue still applies to all version of SQL Server 2005.

Update3: (Mar/2009)

If you upgrade your OS to Vista SP2 or Windows Server 2008 SP2, and your SQL Server 2008 is SP1, the partial issue on X64 is fixed. Meanwhile, we identified another related issue which affect the ability to enumrate SQL instances on Vista/Windows 2008 on network . The fix is also in SQL Server 2008 SP1.

Xinwei Hong, SQL Server ProtocolsDisclaimer: This posting is provided "AS IS" with no warranties, and confers no rights

Would installing SQL2005 as a default instance (instead of a named instance) help avoid the problem? Since you can only have one named instance per virtual server (in a clustered environment), what is the advantage of a named instance over a default instance anyway?

If it’s default instance, client can connect the server using default port number (1433). So, it’s not an issue unless you change the server TCP port.

For the other question, Yes. One named instance per virtual server. But, you can install multiple virtual servers on one physical machine, in which case, you would need named instances so that we can distinguish those instances on the physical machine.

Your scenario is different. Say you have IP1 on VLAN1 and IP2 on VLAN2. SQL Instance 1 listens on IP1, SQL Instance 2 listens on IP2. SQL Browser listens on IP ALL. You can only make a SQL connection to INST1 from VLAN1 and to INST2 from VLAN2. In this case, UDP packets input/output from the same IP address on the server, so no such issue. If you try to connect to INST1 from VLAN2 or INST2 from VLAN1, you will fail. But that’s because of routing, not because of Firewall issue I described.

Please let me know if your scenario is different than what I just assumed.

thanks for the feedback – our setup is slightly more complicated : SQL 2005 – two instances listening on both vlans, and one sql 2000 instance.

We were getting intermittent prelogin failures to the SQL 2005 instances, but usage is currently light so its hard to get accurate pictures.

I changed the bindings on the SQL 2005 instances so that they listen on only one VLAN and we still get the issue. I’m planning to simplify further as the second VLAN was only required for internet access for service pack 1.. so I’ll take that out of the equation, and hopefully that will cure the problem – otherwise I’ll have to start looking at removing the sql2000 instance.

The issue I mentioned in the blog only happens when you connect one IP but the return packet changed the server IP to another one. With two VLANs, networks are seperated by lower layer(link layer). IPs usually won’t be messed up. Unless your client also attachs to both VLANs, you should not see the issue I mentioned. Also, if you do have this issue, you won’t be able to connect your server at all (without the workaround). Since you see intermittent pre-login error, I believe your issue is different.

You can consider this as a bug for us, but its origin is the nature of UDP. We hope to fix this in coming releases. For now, you can either use the workaround I mentioned, or define an exception between your server and client on your client Vista machine. Thanks.

I’m trying to register a database engine (named instance of a cluster) in SQL Server Management Studio and I can’t connect. I also can’t connect if I drop down to osql. I’ve added exceptions to my firewall for ports and programs but still no luck. If I try to register or connect to the default instance of the cluster I can connect fine. It’s only the named instance which I’m having problems with. It also only happens on one PC. I hate to refresh the PC if there’s a workaround. Any ideas?

I’m trying to connect to a clustered server (SQL 2000) with two named instances on two nodes in the cluster, and i have tried setting up sql alias entries for each, using both named pipes:

\192.168.104.51pipe$$CACLMSDBINST1MSSQL$LMSINST1sqlquery

and tcp

192.168.104.51,1461

Both of which i got from the server configuration. The IP address is the sql cluster ip address, not either named instance ip, which i believe is correct.. The other variable here is i am trying to connect through a VPN. Where should i start looking next as far as firewall rules on the other side of the vpn, etc?

We have intermittent issues with connecting to named instances of Analysis Services on a cluster. So, does the initial situation described by Xinwei apply in this case? It seems that the situation described either always works or never works.

Have they come out with a Fix to this yet? I’ve prefer named instances over Default but i’ve run into this problem as well and opened ports, enabled remote connections, pinged, shared drives, folders… everything short of glueing the two servers together. It simply acts as if it doesn’t want to connect to the named instance

We had a fix in SQL Server 2008 for this issue. However, we found another issue and this issue makes the fixs does not work for x64 machine (server machine). So, if your server is SQL Server 2008 on Vista/Win2k8 on X86/IA64, you should have no problem connecting to your server even if you have firewall enabled on your client Vista/W2k8 machine. Thanks.

When I tried to create a connection to SQL Server by clciking the mdf in Database Explorer of VWD, it displayed the Error 26. However, I can attach the mdfs in Management studio and access the file at all.

I am trying to connect from Server 2008×64 to Clustered SQL 2008×64 on Server 2008×64, (named instance) and I continually get the error 26. Have checked all the issues you list. When will the fix for Server 2008 x64 – Clustered SQL 2008 be available?

I have been able to connect to Sql Express using the Data connection Wizard.But when I connect using code I have an error that says that remote connection is not possible error 40.In spite of doing all possible changes to the settings of SQL Config manager and firewall. Please help me fix this problem.Thanking you in advance.

Do you run your code and Data connection Wizard under different account? Can you make sure the account under which you run your code has permission to at least open a fileshare to the target machine(if not local)?

we installed 2 virtual server on a cluster, each with 1 named instance but no DEFAULT instance. we set the port for both instances to 1433, do we still have to specify "server=ip,1433" in the connect string?

We are about to move a very large number of databases from SQL2000 and SQL2005, on to a SQL2005 Cluster. As I am reading this article, named instance resolution on SQL2005 Clusters is going to break with Vista, and also break with any app or device that enforces strict UDP i.e. checks that the IP address of the reply matches the IP address of the original destination. This is an important test to apply because it screens off a lot of serious UDP attacks, including attacks that target SQL Server specifically.

Xinwei, you are saying the problem originates in the UDP protocol but is it not the case that this could be fixed in the SQL Browser Service? Other services can listen on specific IPs and ports, is it that expensive to have the *option* to configure SQL Browser the same way?

I also have another suggestion that you can implement which is much less expensive and makes the Browser service compliant with correct UDP checks. Have the Browser Service inspect the UDP packet header and check the destination address. If the destination address is an available direct attached interface and routable to the sender, have the Browser Service send the response packet with an origin address of this interface, via the interface. That will then pass strict UDP checking and contribute to everyone’s security.

As a bonus you could also have the Browser (optionally) discard packets that had a (forged) origin on a local interface or a (forged) destination that is not a local interface.

We really need this fixed on 2005, not just 2008. To be honest we are avoiding Vista as it’s a nightmare. But we still need our SQL2005 Cluster to work properly. Microsoft should make sure that all its supported products comply with security best practices. Sending UDP replies, with a different origin than they were originally sent to, does not comply.

I hope you will be able to do something. Thanks very much to Xinwei and other contributors for all the excellent information here, it has helped us understand this problem.

I have 2-node SQL Server 2005 Cluster which configured as Active/Passive mode, let say A node and P node. I already install 1 CRM instance on this cluster before. Now I wanna to install a second 2-node cluster on these…

The issue still isn’t fixed when running Windows 2008 Ent Server w/SP2 and SQL 2008 Ent w/SP1 and CU1. We’re running sql with 2 VLANs (1 for Production and 1 for Backups) and we’re still getting the infamous "The SQLBrowser service was unable to process a client request." error. It’s crippling our website and causing a lot of pain. You mention adding the port to our connection string as a workaround which may help, but it doesn’t help SQL Server Agent. SQL Server Agent jobs (mostly T-Log backups) fail constantly with the SNAC error above. I’m guessing it’s b/c they log in via one VIP then write the backups down the 2nd VIP?

I should note we recently upgraded the servers in-place from SQL 2005 w/SP2 and CU9 (OS stayed the same). We never experienced this issue on SQL 2005 which is ironic b/c it seems it’s been a chronic problem since the Browser’s inception. Now when it’s supposed to be fixed we finally get burned.

Please don’t let this drag out like the security cache fix for SQL 2005….took multiple tries/hotfixes to finally resolve it.

We ran into this as well. We solved the problem by adding a firewall exception rule to the Vista Client box that allowed all traffic / all ports between the client PC and the Server IP Address. We figured if the SQL Cluster got hacked we would have bigger problems than it attacking the clients.

hi! i have just installed SQL Server 2005 Management Studio. When I open the program, I am first prompted to type the server name, along with the authentication and the database name. I use my PC name as the server name. I do not know what instance name to put. Does anyone here know how I could connect to server so I can create a database? Help please. Thanks.

Using alias could be a workaround. The drawback of alias is that it has to be defined on all client machines(if you have multiple clients) and you need to update it when the server side configuration changes. Also, it’s easy to forget to delete the alias when the server is uninstalled.

On one PC I could not find any firewall software running and I had to flatten and re-load the operating system. This fixed my problem.

On another PC I was able to alter the firewall software to allow UDP on all ports both incoming and outgoing for my application. This solved the same error message 26 on that PC.

I do not know whether on a connection string it is possible to use ODBC. I only had the Error 26 when connecting from Visual Studio and C# applications. And only on specific PCs. MS Access linked tables always worked from all PCs to the SQL Cluster. Also SQL Server Management Studio was always able to connect without altering the firewall settings. If it is possible to use ODBC in a visual studio application connection string, please let me know.

Iam using EnumAvailableServers(Boolean) API of SMO to enumerate sql instances but it is returning zero list sql 2008 sp1 cluster on windows 2008 sp2. But this API is working absolutely fine for non cluster sql 2008 sp1 on win2008 sp2…

We are not aware of such an issue, and I don’t expect such an issue. But we will try repro locally to see if that’s true. Also, please note that the enumeration is not guaranteed to return all servers in the network.

A central phone provider has 300 customers that will recieve phone traffic, in a closed MPLS enviroment. But some of the service is User management that is done on a central MS-SQL cluster.

The cluster is behind a firewall. The firewall will make NAT of the Cluster VIP IP , and make it into a RIPE addres. The customer will use a Computer, and access the application with a SQL client connection. The client computer has it’s IP address changed in the Customers firewall. The traffic is between to different domains, with no trust.

When reading this blog, we made a standalone SQL server, with a default DB installation. And it works. Thanks 🙂

NOW – I need to make a cluster SQL database due to high availibility SLA. The SQL Cluster database need to have not one but 3 different DB installed. How the hell do I do this?

when connect to A1 that's failed, any relate sql port , we opened, but not work, only close the firewall it will be ok through the instance name, and our application is a web application, can not add the app to firewall exception,and our customer did not want to add the port after the instance name , is there any other idea?